Demystifying Zero-Knowledge Proofs
Elena Nadolinski
@leanthebean
elena@beanstalk.network
Who is this workshop for:
Where to get these slides & links
Twitter: @leanthebean
What we’ll go over
Part 1 - theory
Part 2 - coding
Coding Part:
What we’ll go over
Part 2 - coding
What is a ZKP?
What is a ZKP?
The ability to prove honest computation �without revealing inputs
ZKPs ≠ privacy
SNARKs
STARKs
Bulletproofs
ZKPs ==
honest computation
f(x) = y
f(x) = y
f(x) = y
History
| Proof Size | Prover Time | Verification Time |
SNARKs �(has trusted setup) | | | |
STARKs | | | |
Bulletproofs | | | |
| Proof Size | Prover Time | Verification Time |
SNARKs �(has trusted setup) | 288 bytes | 2.3s | 10ms |
STARKs | 45KB-200KB | 1.6s | 16ms |
Bulletproofs | ~1.3KB | 30s | 1100ms |
Projects using ZKPs
SNARKs
Zcash: has optional shielded transactions that use zk-SNARKs
Has a ceremony for the trusted setup per circuit upgrade
Projects using ZKPs
SNARKs
Use recursive SNARKs to give a merkle root of latest global state with a proof
New nodes do not have to sync from the genesis block to build up their in-memory global state
Projects using ZKPs
Bulletproofs
Use Bulletproofs for more efficient range proofs only and not for privacy directly
Projects using ZKPs
zk-STARKs
Batching transactions off-chain for a decentralized exchange (DEX)
Open Source Projects
SNARKs � | Zokrates a great SNARK domain specific language (DSL) for generating proofs and validating them on Ethereum Bellman Rust implementation Snarky OCaml implementation (DSL) LIbsnark C++ Iden3’s Circum (DSL) & SnarkJS Javascript Implementation Republic Protocol’s zksnark-rs (DSL) Rust implementation DIZK Java Distributed system Go-SNARK zkSNARK library implementation in Go |
STARKs | Go implementation (with pretty useful links!) |
Bulletproofs | Ristretto Rust implementation with GREAT documentation (maintained by Chain/Interstellar) |
Modular Math
22 (mod 12) = 10
Because 12 divides 22 one time evenly with 10 as the remainder
3 + 16 (mod 12) = 7
And so on
Diffie Hellman (1976)
(Learn more on early cryptography from The Code Book)
Diffie Hellman (1976)
Diffie Hellman (1976)
Diffie Hellman (1976)
Diffie Hellman (1976)
Diffie Hellman (1976)
Diffie Hellman (1976)
Now Alice and Bob know to encrypt/decrypt their messages using the shared secret 18
RSA (1977)
RSA
n = p * q = 55
RSA
n = p * q = 55
RSA
n = p * q = 55
e = 7
RSA
n = p * q = 55
e = 7
d * e mod(totient) = 1
d = 23
RSA
private key e = 7 and public key d = 23
message to sign= 8
RSA
private key e = 7 and public key d = 23
message to sign= 8
c = 87 mod 55 = 2
RSA
private key e = 7 and public key d = 23
message to sign= 8
c = 87 mod 55 = 2
Anyone can check the signature using the public key 23
RSA
private key e = 7 and public key d = 23
message to sign= 8
c = 87 mod 55 = 2
Anyone can check the signature using the public key 23
m = 223 mod 55 = 8
Fiat-Shamir (1986)
Fiat-Shamir
Fiat-Shamir
Fiat-Shamir
Fiat-Shamir
Fiat-Shamir
Fiat-Shamir
Fiat-Shamir
Fiat-Shamir
Elliptic Curve Cryptography
Elliptic Curve Cryptography
y2 = x3 + ax + b
(where 4a3 + 27b2 ≠ 0)
Elliptic Curve Cryptography
~ ¾ of 100k top websites use ECDHE (https://) � (Elliptic Curve Diffie-Hellman Exchange)
96.1% of those use P256 curve (a NIST standard): � y2 = x3 - 3x + b (mod p)
Parameters generated from hashing a seed
From a video by Dan Boneh
Elliptic Curve Cryptography
~ ¾ of 100k top websites use ECDHE (https://) � (Elliptic Curve Diffie-Hellman Exchange)
96.1% of those use P256 curve (a NIST standard): � y2 = x3 - 3x + b (mod p)
Parameters generated from hashing a seed
From a video by Dan Boneh
NSA Conspiracy Theory
Elliptic Curve Cryptography
Abelian Group Properties for a set 𝔾
ECC - Addition
Given 3 aligned non-zero points, their sum is: P + Q + R = 0
ECC - Addition
If P + Q + R = 0, then P + Q = -R
If we draw a line between 2 pts P and Q, it’ll intersect at a point R
Since P + Q = -R we can easily find R and use it to compute addition of two points from it
ECC - Addition
P + Q = -R
m = (3xP3 + a) / 2yP
xR = m2 - xp - xQ
yR = yP + m(xR - xP) = yQ + m(xR - xQ)
ECC - Addition
P + P = -R for Q = P = (1, 2) on y2 = x3 - 7x + 10
m = (3xP3 + a) / 2yP = -1
xR = m2 - xp - xQ = -1
yR = yP + m(xR - xP) = yQ + m(xR - xQ) = 4
So P + P = (-1, -4)
ECC - Multiplication
nP = P + P + … + P
(We have clever optimization techniques to do this fast)
n times
ECC - Multiplication
nP = P + P + … + P
nP = Q : fairly easily to compute
n = Q/P : very hard to compute (no efficient method)
Logarithm Problem (it’s not called division for conformity reasons)
n times
ECC - Multiplication
nP = P + P + … + P
nP = Q : fairly easily to compute
n = Q/P : very hard to compute (no efficient method)
Logarithm Problem (it’s not called division for conformity reasons)
But we’re missing cycles
n times
ECC - Finite Fields & Discrete Log
Finite field 𝔽p: set of elements (mod p) where p is prime
y2 = x3 + ax + b (mod p)
y2 = x3 - 7x + 10
p = 19
p = 127
p = 97
p = 487
ECC - Finite Fields (Addition)
P + P = ? in a finite field
ECC - Finite Fields (Addition)
P + P = ? in a finite field
P + P = (-1, -4) on y2 = x3 - 7x + 10
For a finite field on p = 19
-1 (mod 19) = 18
-4 (mod 19) = 15
So P + P on y2 = x3 - 7x + 10 (mod 19) = (18, 15)
ECC - Groups
y2 = x3 + 2x + 3 (mod 97) at point P(3, 6)
Let’s calculate some multiples of P
n = 0
n = 1
n = 2
n = 3
n = 4
n = 5
Same as n = 0
n = 6
Same as n = 1
n = 7
Same as n = 2
n = 8
Same as n = 3
n = 9
Same as n = 4
n = 10
Same as n = 5, 0
n = 11
Same as n = 1, 6
n = 12
Same as n = 2, 7
… and the pattern continues
ECC - Groups
y2 = x3 + 2x + 3 (mod 97) on P(3, 6) we saw a cycle
There are just 5 distinct points:
0, P, 2P, 3P, 4P
ECC - Groups
y2 = x3 + 2x + 3 (mod 97) on P(3, 6) we saw a cycle
There are just 5 distinct points:
0, P, 2P, 3P, 4P
These five points are closed under addition. However you add 0, P, 2P, 3P or 4P, the result is always one of these five points.
ECC - Groups
The point P(3, 6) on y2 = x3 + 2x + 3 (mod 97)
is therefore said to be a generator
or base point of the cyclic subgroup
and the order of this subgroup is
therefore 5
(the smallest n such that nP=0)
ECC - Groups
Q = nP mod p : easy to calculate
n = P/Q mod p : discrete logarithm problem
If you choose your curve, parameters, and generator point carefully, finding n becomes very very very hard
And this is exactly how the ECDSA signature scheme works
ECDSA
ECDSA signature (used in Bitcoin, Ethereum, etc):
ECDSA
A Bitcoin private key is 256 bits and gives 128-bit security level
To achieve the same security with RSA you would need 3092 bit length key
Pedersen Commitments
Tool for Confidential Transaction: Pedersen Commitment
Used in privacy coin Grin
Learn more about how Grin works
Pedersen Commitments
You could use Q = vG to “hash” or hide amounts per tx
But that’s susceptible to ‘Rainbow table’ attacks as one could precompute popular amount denominations
Pedersen Commitments
You could use Q = vG to “hash” or hide amounts per tx
But that’s susceptible to ‘Rainbow table’ attacks as one could precompute popular amount denominations
Solution: add a blinding factor
Com(v) = vG + bH
Pedersen Commitments
You could use Q = vG to “hash” or hide amounts per tx
But that’s susceptible to ‘Rainbow table’ attacks as one could precompute popular amount denominations
Solution: add a blinding factor
Com(v) = vG + bH
Where G and H are generator points
b is random number used as a blinding factor
Pedersen Commitments
The cool property of Pedersen Commitments (or sometimes called hashes) is that you can add them to check equality
Com(v1) = v1G + b1H
Com(v2) = v2G + b2H
Such that:
v2G + b2H + v1G + b1H = G(v2 + v1) + H(b1 + b2)
Bulletproofs (Range Proofs)
Proving that a number is within a range
v ∈ [0,2n)
Zero Knowledge about the Inner Product of Two Vectors
Learn more how Bulletproofs work
Bulletproofs (Range Proofs)
Any number can be represented as inner product of two vectors.
5 = <[1, 0, 1] , [22, 21, 20]>
5 equals inner product of 2 vectors [1, 0, 1] and [22, 21, 20]
Bulletproofs (Range Proofs)
This is also how binary works
101binary = 5decimal since 1(22) + 0(21) + 1(20)
Bulletproofs (Range Proofs)
v = <a, 2n>
Example:
v = 5 and we wanted to prove that 5 is in range of 0 to 2n without showing 5
v ∈ [0,2n)
Bulletproofs (Range Proofs)
5decimal = 101binary = 1(22) + 0(21) + 1(20)
Need at least 3 bits to represent 5: n has to be at least 3
23 = 8
Therefore it’s clear that 5 must be in range of 0 to 2n
Bulletproofs (Range Proofs)
v = <a, 2n>
We need to prove that:
STARKs
Please refer to Remco from 0x for all your STARK questions :)
SNARKs
There are many (50+) variants of SNARKs
QAP variant (quadratic arithmetic program):
Computation → Arithmetic Circuit → R1CS → QAP → SNARK
Check out this excellent primer by Decentriq
SNARKs - Computation
x * y + 4 = 10
Prover wants to prove that they know values x and y
SNARKs - Arithmetic Circuit
x * y + 4 = 10
x
y
4
*
+
10
constraint 1
output1
constraint 2
SNARKs - Arithmetic Circuit
x
y
4
*
+
10
constraint 1
output1
Constraint 1:
output1 = x * y
Constraint 2:
output1 + 4 = 10
Constraint 3:
Equality constraint
constraint 2
SNARKs - R1CS
x
y
4
*
+
10
constraint 1
output1
constraint 2
Constraint has a left input, right input and output
Such that:
left(L) * right(R) = output(O)
With 3 vectors:
<L, v> * <R, v> = <O, v>
v is the variable vector
v = [1, x, y, output1]
SNARKs - Arithmetic Circuit
<L, v> * <R, v> = <O, v>
v = [1, x, y, output1]
Constraint 1: x * y = output1
L = [0, 1, 0, 0] // x
R = [0, 0, 1, 0] // y
O = [0, 0, 0, 1] // output1
Constraint 2: (output1 + 4) * 1 = 10
L = [4, 0, 0, 1] // output1 + 5
R = [1, 0, 0, 0] // 1
O = [10, 0, 0, 0] // 10
x
y
4
*
+
10
constraint 1
output1
constraint 2
SNARKs - QAP
Create polynomials for each constraint using Lagrange interpolation
L * R = O
Constraint 1:
L = [0, 1, 0, 0] // x
R = [0, 0, 1, 0] // y
O = [0, 0, 0, 1] // output1
Constraint 2:
L = [4, 0, 0, 1] // output1 + 5
R = [1, 0, 0, 0] // 1
O = [10, 0, 0, 0] // 10
L1[1] = 0 (look at 1st constraint, 1st element of L)
L1[2] = 4 (look at 2nd constraint, 1st element of L)
2 points: (1, 0) and (2, 4). We can use Lagrange interpolation to get a polynomial: 4x - 4
L1(x) = 4x - 4
And we do this for each constraint, for each variable Li(x), Ri(x), Oi(x)
SNARKs - QAP
L * R = O
Constraint 1:
L = [0, 1, 0, 0] // x
R = [0, 0, 1, 0] // y
O = [0, 0, 0, 1] // output1
Constraint 2:
L = [4, 0, 0, 1] // output1 + 5
R = [1, 0, 0, 0] // 1
O = [10, 0, 0, 0] // 10
L1(x) = 4x - 4
L2(x) = -1x + 2
L3(x) = 0
L4(x) = 1x - 1
SNARKs - QAP
L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
SNARKs - QAP
L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
P = L(x) * R(x) - O(x)
SNARKs - QAP
L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
P = L(x) * R(x) - O(x) = T(x) * H(x)
T(x) is a publicly known evaluation used for Verification
SNARKs - QAP
L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
P = L(x) * R(x) - O(x) = T(x) * H(x)
T(x) is a publicly known evaluation used for Verification
H(x) is provided by the Prover and divides �L(x) * R(x) - O(x) evenly (without remainder)
SNARKs - QAP
L(x) * R(x) - O(x) = T(x) * H(x)
The Prover would send evaluations of x for L, R, O, and H polynomials
But how would we ensure that:
SNARKs - QAP
L(s) * R(s) - O(s) = T(s) * H(s)
s is a linear combination of (g, s⋅g ,…, sd⋅g) of length d (which corresponds to the max degrees of these polynomials)
This achieves two things:
SNARKs
How can we evaluate a value that is encrypted?
Ex: Instead of sending s plaintext, we can send E(s)
E(s) = sG
(where G is a generator point on a elliptic curve)
SNARKs
We can still do evaluations of E(s), even though it’s encrypted (sometimes called homomorphic addition):
Example:
E(3) + E(4) = E(3 + 4) = E(7)
SNARKs
L(s) * R(s) - O(s) = T(s) * H(s)
Using encrypted s, the Prover would send back:
E(L(s)), E(L(s)), E(O(s)), E(L(s)),
SNARKs
L(s) * R(s) - O(s) = T(s) * H(s)
Using encrypted s, the Prover would send back:
E(L(s)), E(L(s)), E(O(s)), E(L(s)),
But we still don’t have zero-knowledge as some information about the assignment is leaked
SNARKs
L(s) * R(s) - O(s) = T(s) * H(s)
Adding zero-knowledge:
The Prover simply adds a form of a blinding factor to the L, R, O evaluations
SNARKs - Protocol
SNARKs - what’s left
SNARKs - the Future
Let’s Go Ahead and Build One!
Part 2:
Zokrates